ssl_backend.h
/*
 * OpenVPN -- An application to securely tunnel IP networks
 * over a single TCP/UDP port, with support for SSL/TLS-based
 * session authentication and key exchange,
 * packet encryption, packet authentication, and
 * packet compression.
 *
 * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
 * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

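#ifndef SSL_BACKEND_H_
#define SSL_BACKEND_H_

/*
 * The declarations below use bool, size_t and uint8_t; pull the standard
 * headers in directly so this header stays self-contained regardless of
 * what buffer.h happens to include.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#include "buffer.h"

/*
 * Backend selection.  Each enabled crypto library contributes its own
 * context/verify headers and sets SSLAPI.  The two #ifdef blocks are not
 * mutually exclusive: a build that enables both would redefine SSLAPI with
 * a different value, which the preprocessor diagnoses -- only one backend
 * is meant to be enabled at a time.
 */
#ifdef ENABLE_CRYPTO_OPENSSL
#include "ssl_openssl.h"
#include "ssl_verify_openssl.h"
#define SSLAPI SSLAPI_OPENSSL
#endif
#ifdef ENABLE_CRYPTO_MBEDTLS
#include "ssl_mbedtls.h"
#include "ssl_verify_mbedtls.h"
#define SSLAPI SSLAPI_MBEDTLS
#endif

/* Ensure that SSLAPI got a sane value if SSL is disabled or unknown */
#ifndef SSLAPI
#define SSLAPI SSLAPI_NONE
#endif
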
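struct tls_session;

/*
 *
 * Functions implemented in ssl.c for use by the backend SSL library
 *
 */

/**
 * Callback to retrieve the user's password.
 *
 * Presumably follows the usual PEM password-callback shape: the password is
 * written into @p buf, which holds at most @p size bytes, and the number of
 * bytes written is returned -- confirm against the definition in ssl.c.
 *
 * @param buf     Output buffer that receives the password.
 * @param size    Capacity of @p buf in bytes; the callback must not write past it.
 * @param rwflag  Read/write flag supplied by the calling library.
 * @param u       Opaque user data supplied by the calling library.
 * @return        Number of password bytes written (presumably; confirm in ssl.c).
 */
int pem_password_callback(char *buf, int size, int rwflag, void *u);

/*
 *
 * Functions used in ssl.c which must be implemented by the backend SSL library
 *
 */

/** Perform any static initialisation necessary by the library. */
void tls_init_lib(void);

/** Free any global SSL library-specific data structures. */
void tls_free_lib(void);

/** Clear the underlying SSL library's error state. */
void tls_clear_error(void);

/*
 * TLS protocol version constants.  The values are ordered so that a higher
 * constant is a newer protocol version, which is what makes tls_version_max()
 * comparable against them.  TLS_VER_UNSPEC is the default when no explicit
 * version was requested; TLS_VER_BAD presumably marks a string that could
 * not be parsed -- confirm against tls_version_parse() in ssl.c.
 */
#define TLS_VER_BAD -1
#define TLS_VER_UNSPEC 0 /* default */
#define TLS_VER_1_0 1
#define TLS_VER_1_1 2
#define TLS_VER_1_2 3
#define TLS_VER_1_3 4

/**
 * Parse a TLS version string into one of the TLS_VER_x constants.
 *
 * @param vstr   Version string to parse.
 * @param extra  Additional qualifier string; its meaning is not visible from
 *               this header -- see the definition in ssl.c.
 * @return       A TLS_VER_x constant; presumably TLS_VER_BAD on parse failure -- confirm.
 */
int tls_version_parse(const char *vstr, const char *extra);

/**
 * Return the maximum TLS version (as a TLS_VER_x constant) supported by the
 * current SSL implementation.
 */
int tls_version_max(void);
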
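/**
 * Initialise a library-specific TLS context for a server.
 *
 * @param ctx  TLS context to initialise.
 */
void tls_ctx_server_new(struct tls_root_ctx *ctx);

/**
 * Initialises a library-specific TLS context for a client.
 *
 * @param ctx  TLS context to initialise.
 */
void tls_ctx_client_new(struct tls_root_ctx *ctx);

/**
 * Frees the library-specific TLSv1 context.
 *
 * @param ctx  TLS context to free.
 */
void tls_ctx_free(struct tls_root_ctx *ctx);

/**
 * Checks whether the given TLS context is initialised.
 *
 * @param ctx  TLS context to check.
 * @return     true if @p ctx has been initialised, false otherwise.
 */
bool tls_ctx_initialised(struct tls_root_ctx *ctx);

/**
 * Set any library specific options.
 *
 * @param ctx        TLS context to configure.
 * @param ssl_flags  Option bit flags to apply.
 * @return           Presumably true on success and false on failure -- confirm
 *                   against each backend.
 */
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);

/**
 * Restrict the list of ciphers that can be used within the TLS context
 * for TLS 1.2 and below.
 *
 * @param ctx      TLS context to restrict.
 * @param ciphers  Cipher list in the backend's own syntax.
 */
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);

/**
 * Restrict the list of ciphers that can be used within the TLS context
 * for TLS 1.3 and higher.
 *
 * @param ctx      TLS context to restrict.
 * @param ciphers  Cipher list in the backend's own syntax.
 */
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers);

/**
 * Set the TLS certificate profile.
 *
 * @param ctx      TLS context to configure.
 * @param profile  Name of the certificate profile to enforce.
 */
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile);

/**
 * Set the (elliptic curve) group allowed for signatures and key exchange.
 *
 * @param ctx     TLS context to configure.
 * @param groups  Group list in the backend's own syntax.
 */
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups);

/**
 * Check our certificate notBefore and notAfter fields, and warn if the cert
 * is either not yet valid or (presumably) already expired.  Described as a
 * warning, not a hard failure -- confirm the backend does not refuse the
 * certificate here.
 *
 * @param ctx  TLS context whose own certificate is checked.
 */
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx);

/**
 * Load Diffie Hellman Parameters, and load them into the library-specific
 * TLS context.
 *
 * @param ctx             TLS context to load into.
 * @param dh_file         Path to the parameter file.  When @p dh_file_inline
 *                        is true this presumably holds the PEM content itself
 *                        rather than a path -- confirm; the same convention is
 *                        assumed for every *_inline parameter in this header.
 * @param dh_file_inline  Whether @p dh_file is inline content.
 */
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
                            bool dh_file_inline);

/**
 * Load Elliptic Curve Parameters, and load them into the library-specific
 * TLS context.
 *
 * @param ctx         TLS context to load into.
 * @param curve_name  Name of the curve to use.
 */
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
                              );

/**
 * Load PKCS #12 file for key, cert and (optionally) CA certs, and add to
 * library-specific TLS context.
 *
 * @param ctx                 TLS context to load into.
 * @param pkcs12_file         Path to the PKCS #12 file (or inline content).
 * @param pkcs12_file_inline  Whether @p pkcs12_file is inline content.
 * @param load_ca_file        Whether the CA certificates in the file are
 *                            loaded as well.
 * @return                    Backend status code; presumably 0 on success -- confirm.
 */
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
                        bool pkcs12_file_inline, bool load_ca_file);

#ifdef ENABLE_CRYPTOAPI
/**
 * Use Windows cryptoapi for key and cert, and add to library-specific TLS
 * context.
 *
 * @param ctx             TLS context to load into.
 * @param cryptoapi_cert  Certificate selector passed to CryptoAPI.
 */
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert);

#endif /* ENABLE_CRYPTOAPI */

/**
 * Load certificate file into the given TLS context.
 *
 * @param ctx               TLS context to load into.
 * @param cert_file         Path to the certificate file (or inline content).
 * @param cert_file_inline  Whether @p cert_file is inline content.
 */
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
                            bool cert_file_inline);

/**
 * Load private key file into the given TLS context.
 *
 * @param ctx                   TLS context to load into.
 * @param priv_key_file         Path to the private key file (or inline content).
 * @param priv_key_file_inline  Whether @p priv_key_file is inline content.
 * @return                      Backend status code; presumably 0 on success -- confirm.
 */
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
                           bool priv_key_file_inline);

#ifdef ENABLE_MANAGEMENT

/**
 * Tell the management interface to load the given certificate and the
 * external private key matching the certificate; the key itself never
 * enters the TLS context.
 *
 * @param ctx  TLS context to configure.
 * @return     Backend status code; presumably 0 on success -- confirm.
 */
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx);

#endif /* ENABLE_MANAGEMENT */

/**
 * Load certificate authority certificates from the given file or path.
 *
 * @param ctx             TLS context to load into.
 * @param ca_file         Path to the CA file (or inline content).
 * @param ca_file_inline  Whether @p ca_file is inline content.
 * @param ca_path         Directory of CA certificates.
 * @param tls_server      Whether this context acts as the TLS server; how
 *                        that changes loading is backend-specific -- confirm.
 */
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
                     bool ca_file_inline, const char *ca_path, bool tls_server);

/**
 * Load extra certificate authority certificates from the given file or path.
 *
 * @param ctx                      TLS context to load into.
 * @param extra_certs_file         Path to the extra certificates file (or inline content).
 * @param extra_certs_file_inline  Whether @p extra_certs_file is inline content.
 */
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx,
                              const char *extra_certs_file,
                              bool extra_certs_file_inline);

#ifdef ENABLE_CRYPTO_MBEDTLS
/**
 * mbed TLS only: mix context-specific data into the library's random
 * generator state.
 *
 * @param ctx  TLS context whose RNG is personalised.
 */
void tls_ctx_personalise_random(struct tls_root_ctx *ctx);

#endif
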
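/* **************************************
 *
 * Key-state specific functions
 *
 ***************************************/

/**
 * Initialise the SSL channel part of the given key state.
 *
 * @param ks_ssl     Key state SSL channel to initialise.
 * @param ssl_ctx    Root TLS context the channel is created from.
 * @param is_server  true for the server side of the handshake.
 * @param session    TLS session this key state belongs to.
 */
void key_state_ssl_init(struct key_state_ssl *ks_ssl,
                        const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session);

/**
 * Sets a TLS session to be shutdown state, so the TLS library will generate
 * a shutdown alert.
 *
 * @param ks_ssl  Key state SSL channel to shut down.
 */
void
key_state_ssl_shutdown(struct key_state_ssl *ks_ssl);

/**
 * Free the SSL channel part of the given key state.
 *
 * @param ks_ssl  Key state SSL channel to free.
 */
void key_state_ssl_free(struct key_state_ssl *ks_ssl);

/**
 * Reload the Certificate Revocation List for the SSL channel.
 *
 * @param ssl_ctx     TLS context whose CRL is replaced.
 * @param crl_file    Path to the CRL file (or inline content).
 * @param crl_inline  Whether @p crl_file is inline content.
 */
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx,
                                const char *crl_file, bool crl_inline);

/*
 * Exporter labels for key_state_export_keying_material().  RFC 5705 binds
 * exported material to its label, so using a distinct label per purpose
 * (data channel keys, p2p peer id, dynamic tls-crypt) keeps the derived
 * secrets independent of each other.
 */
#define EXPORT_KEY_DATA_LABEL "EXPORTER-OpenVPN-datakeys"
#define EXPORT_P2P_PEERID_LABEL "EXPORTER-OpenVPN-p2p-peerid"
#define EXPORT_DYNAMIC_TLS_CRYPT_LABEL "EXPORTER-OpenVPN-dynamic-tls-crypt"

/**
 * Keying Material Exporters [RFC 5705] allow additional keying material to
 * be derived from existing TLS channel secrets.
 *
 * @param session     TLS session to export from.
 * @param label       Exporter label, e.g. one of the EXPORT_*_LABEL strings above.
 * @param label_size  Length of @p label in bytes.
 * @param ekm         Output buffer that receives the exported keying material.
 * @param ekm_size    Number of bytes to export; @p ekm must hold at least this many.
 * @return            true on success, false if the backend could not export;
 *                    presumably @p ekm must not be used on failure -- confirm.
 */
bool
key_state_export_keying_material(struct tls_session *session,
                                 const char *label, size_t label_size,
                                 void *ekm, size_t ekm_size);

/**************************************************************************/

/*
 * Plaintext/ciphertext I/O with the TLS module.  The exact meaning of the
 * int return values (success / no data / error) is defined by the backends
 * and is not visible from this header -- confirm before relying on it.
 */

/**
 * Insert a plaintext buffer into the TLS module.
 *
 * @param ks_ssl  Key state SSL channel to write to.
 * @param buf     Plaintext to insert.
 */
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf);

/**
 * Insert plaintext data into the TLS module.
 *
 * @param ks_ssl  Key state SSL channel to write to.
 * @param data    Bytes to insert.
 * @param len     Number of bytes at @p data.  The count is signed; callers
 *                are expected to pass a non-negative value -- confirm that
 *                each backend rejects a negative @p len rather than passing
 *                it on to the library.
 */
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl,
                                    const uint8_t *data, int len);

/**
 * Extract ciphertext data from the TLS module.
 *
 * @param ks_ssl  Key state SSL channel to read from.
 * @param buf     Buffer that receives the ciphertext.
 */
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf);

/**
 * Insert a ciphertext buffer into the TLS module.
 *
 * @param ks_ssl  Key state SSL channel to write to.
 * @param buf     Ciphertext received from the peer.
 */
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl,
                               struct buffer *buf);

/**
 * Extract plaintext data from the TLS module.
 *
 * @param ks_ssl  Key state SSL channel to read from.
 * @param buf     Buffer that receives the plaintext.
 */
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf);
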
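/* **************************************
 *
 * Information functions
 *
 * Print information for the end user.
 *
 ***************************************/

/**
 * Print a one line summary of SSL/TLS session handshake.
 *
 * @param ks_ssl  Key state whose session is described.
 * @param prefix  Text placed in front of the summary line.
 */
void print_details(struct key_state_ssl *ks_ssl, const char *prefix);

/**
 * Show the TLS ciphers that are available for us to use in the library
 * depending on the TLS version.
 *
 * @param cipher_list       Cipher list the output is restricted to.
 * @param tls_cert_profile  Certificate profile in effect.
 * @param tls13             Selects whether the TLS 1.3 or the pre-1.3
 *                          cipher list is shown.
 */
void
show_available_tls_ciphers_list(const char *cipher_list,
                                const char *tls_cert_profile,
                                bool tls13);

/** Show the available elliptic curves in the crypto library. */
void show_available_curves(void);

/**
 * Return a pointer to a static memory area containing the name and version
 * number of the SSL library.  The string is owned by the callee: do not
 * free or modify it.
 */
const char *get_ssl_library_version(void);

#endif /* SSL_BACKEND_H_ */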
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract plaintext data from the TLS module.
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract ciphertext data from the TLS module.
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
void tls_clear_error(void)
Clear the underlying SSL library's error state.
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allow additional keying material to be derived from existing TL...
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Show the TLS ciphers that are available for us to use in the library depending on the TLS version.
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
void show_available_curves(void)
Show the available elliptic curves in the crypto library.
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user's password.
Definition ssl.c:261
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl)
Sets a TLS session to be shutdown state, so the TLS library will generate a shutdown alert.
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher.
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context.
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition ssl_openssl.c:99
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:431
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition ssl_openssl.c:92
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Print a one line summary of SSL/TLS session handshake.
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below.
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Load certificate file into the given TLS context.
Control Channel mbed TLS Backend.
Control Channel OpenSSL Backend.
Control Channel Verification Module mbed TLS backend.
Control Channel Verification Module OpenSSL backend.
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
Structure that wraps the TLS context.
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:483